Advanced Email Deliverability: Implementing DMARC

Mailboxes-DMARC

If you’re a company that emails no one and that no one’s heard of, chances are you’re not too worried about someone sending fraudulent email claiming to be you. On the other hand, if you’re a company that has recognition among its customers as trustworthy or you operate in an industry where trust is paramount, such as healthcare or financial services, then there’s a good chance unsavory types are attempting to scam your customers through phishing, claiming to be you in emails.

That’s where the DMARC protocol comes in. DMARC, or Domain-based Message Authentication, Reporting, and Conformance, helps Internet Service Providers like GMail, Hotmail, AOL, Yahoo Mail, and many others deliver only legitimate email from you, and not from scammers pretending to be you.

How DMARC Works

At its core, DMARC is a combination of Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM). Imagine sending a piece of paper mail for a moment. DKIM checks to see if you mailed from your company mailroom and SPF checks to see that you used your corporate stationery. You could put fraudulent mail in your mailroom for pickup by the postman, or you could put a fake envelope on mail pretending to be someone else, but it’s really hard for the average scammer to put a fake message in your company’s stationery inside your company’s mailroom.

DMARC does the digital equivalent of checking to see that the stationery is your company’s and that you sent it from your mailroom.

How to Get Started with DMARC

Here’s the good news: if you’re a WhatCounts customer, chances are you’re already 95% set up. Since DMARC is built on top of SPF and DKIM, you have to make sure those are implemented correctly in your Domain Name System (DNS). If you need help setting those up, there are wizards for SPF and DKIM that can speed along the process. (WhatCounts customers should contact their account managers instead)

The next step, assuming that DKIM and SPF are operating correctly, is to add a DNS record for DMARC that initially tells it to monitor for fraudulent activity and provide a daily report to your postmaster or mail administrator. The format for this is straightforward for anyone experienced in editing DNS:

_dmarc.example.com IN TXT “v=DMARC1; p=none; rua=mailto:postmaster@example.com”

where example.com is your company’s domain and the postmaster address is substituted for your postmaster’s address.

You’ll get a daily email from major ISPs like GMail that tell you how many messages were received that failed DMARC, which will let you adjust your SPF and DKIM settings. Once you’ve gotten everything tuned, you can then update your DMARC from monitor mode (shown above) to quarantine or reject modes, where you’re actively telling ISPs to reject email that fails the DMARC test.

Why not go straight to reject mode? There’s a chance that something in your SPF or DKIM records is misconfigured, and if you implemented DMARC in reject mode, you could accidentally stop sending all legitimate email to many customers. Start in monitor mode, and then when you’re ready, you can change to reject mode with this:

_dmarc.example.com IN TXT “v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@example.com”

I hope this overview of the DMARC protocol is helpful to you in getting started with DMARC. It’s already in wide use among the major B2C email services like GMail and Hotmail, it costs nothing except time, and it can help reduce fraudulent messages to your customers once deployed.

Christopher S. Penn
Director of Inbound Marketing, WhatCounts